Solved: Re: Cascaded search with tabular data

drodman29 · ‎04-30-2014

Given a normal http log I want to be able to use the tabular data (or list) from one search as criteria in a second search.
1) Search host=a or host=b and uri=c | chart count by clientip
2) Search host=a and uri=d and {list of clientIPs from search 1} | chart count by user

I feel sure I'm missing some trick...

lguinn2 · ‎04-30-2014

This is very easy in Splunk

host=a AND uri=d [ search  host=a OR host=b AND uri=c | fields clientip  | dedup clientip ]
| chart count by user

The part between the brackets [] is called a subsearch. The results of the subsearch are substituted into the outer search string. Use the "search job inspector" if you want to see the intermediate step!

BTW, there are limits to the subsearch. But if your subsearch returns less than a thousand results, you should be fine.

HTH

View solution in original post

lguinn2 · ‎04-30-2014

This is very easy in Splunk

host=a AND uri=d [ search  host=a OR host=b AND uri=c | fields clientip  | dedup clientip ]
| chart count by user

The part between the brackets [] is called a subsearch. The results of the subsearch are substituted into the outer search string. Use the "search job inspector" if you want to see the intermediate step!

BTW, there are limits to the subsearch. But if your subsearch returns less than a thousand results, you should be fine.

HTH

drodman29 · ‎06-13-2014

Subsearch worked great.

Cascaded search with tabular data

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!